Secure computation device, secure computation authentication system, secure computation method, and program

ABSTRACT

A secure computation device obtains a first concealed verification value [z]_(i)=[w−ω]_(i) with secure computation by using concealed authentication information [w]_(i) which is preliminarily stored and concealed authentication information [ω]_(i) which is inputted, obtains a concealed extension field random number [r_(m)]_(i)∈[F^(ε)] which is a secret sharing value of an extension field random number r_(m), obtains a second concealed verification value [y_(m)]_(i) in which y_(m) is concealed with secure computation by using the first concealed verification value [z]_(i), and obtains a third concealed verification value [r_(m)y_(m)]_(i) with secure computation by using the concealed extension field random number [r_(m)]_(i) and the second concealed verification value [y_(m)]_(i) and outputs the third concealed verification value [r_(m)y_(m)]_(i).

TECHNICAL FIELD

The present invention relates to a secure computation technique and especially relates to a secure computation authentication technique for performing authentication processing with secure computation.

BACKGROUND ART

Use of a secure computation technique (see Non-patent Literature 1, for example) enables authentication processing to be performed while keeping authentication information (for example, a password) secret. A simple method is a method for computing a concealed verification value [w−ω]_(i) corresponding to w−ω with secure computation by using concealed authentication information [w] of registered authentication information w and concealed authentication information [ω] of inputted authentication information ω. w=ω (successful authentication) is established when w−ω=0 and w≠ω (failed authentication) is established when w−ω≠0. Thus, the concealed verification value [w−ω] represents a concealed value of an authentication result.

PRIOR ART LITERATURE

Non-Patent Literature

-   Non-patent Literature 1: Ivan Damgard, Matthias Fitzi, Eike Kiltz, Jesper Buus Nielsen, Tomas Toft, “Unconditionally Secure Constant-Rounds Multi-party Computation for Equality, Comparison, Bits and Exponentiation”, TCC 2006, pp. 285-304.

SUMMARY OF THE INVENTION

Problems to be Solved by the Invention

However, the above-described method has a problem of low level of security against spoofing. In other words, in the case where an unauthorized concealed verification value, with which 0 is reconstructed even when w−ω≠0, is computed, authentication is determined to be successful even though w−ω≠0. Further, authentication information w and ω are kept secret, so that detecting such an unauthorized concealed verification value is difficult.

An object of the present invention is to provide a technique for performing authentication processing with high level of security against spoofing while keeping authentication information secret.

Means to Solve the Problems

A secure computation device stores concealed authentication information [w]_(i)∈[F]^(L) which is a secret sharing value of authentication information w; receives input of concealed authentication information [ω]_(i)∈[F]^(L) which is a secret sharing value of authentication information ω; obtains a first concealed verification value [z]_(i)=[w−ω]_(i) with secure computation by using the concealed authentication information [w]_(i) and the concealed authentication information [ω]_(i); obtains a concealed extension field random number [r_(m)]_(i)∈[F^(ε)] which is a secret sharing value of an extension field random number r_(m); obtains a second concealed verification value [y_(m)]_(i) in which y_(m) is concealed with secure computation by using the first concealed verification value [z]_(i); and obtains a third concealed verification value [r_(m)y_(m)]_(i) with secure computation by using the concealed extension field random number [r_(m)]_(i) and the second concealed verification value [y_(m)]_(i) and outputs the third concealed verification value [r_(m)y_(m)]_(i). Here, L is an integer which is 1 or greater, ε is an integer which is 2 or greater, F is a finite field, F^(ε) is an extension field of the finite field F, an extension degree of the extension field F^(ε) is ε, ceil(x) is a minimum integer which is equal to or greater than a real number x, M=ceil(L/ε) holds, j=0, . . . , L−1 holds, m=0, . . . , M−1 holds, z=(z₀, . . . , z_(L-1))=w−ω holds, z_(j)∈F holds, y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)) holds for m=0, . . . , M−1, and z_(q) by which q>L−1 is established among q=ε(M−1), . . . , εM−1 is 0.

Effects of the Invention

Authentication processing with high level of security against spoofing can be performed while keeping authentication information secret.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating the functional configuration of a secure computation authentication system according to embodiments.

FIG. 2 is a block diagram illustrating the functional configuration of a secure computation device according to the embodiments.

FIG. 3A is a block diagram illustrating the functional configuration of a user device according to the embodiments. FIG. 3B is a block diagram illustrating the functional configuration of a verification device according to the embodiments.

FIG. 4 is a flow diagram for explaining processing of the user device according to the embodiments.

FIG. 5 is a flow diagram for explaining processing of the secure computation device according to the embodiments.

FIG. 6 is a flow diagram for explaining processing of the verification device according to the embodiments.

FIG. 7 is a conceptual diagram for explaining processing according to the embodiments.

DETAILED DESCRIPTION OF THE EMBODIMENTS

Embodiments of the present invention are described below with reference to the accompanying drawings.

[General Outline]

A secure computation authentication system according to the embodiments includes N pieces of (a plurality of pieces of) secure computation devices P₁, . . . , P_(N) and a verification device. The verification device may be a device external to the N pieces of secure computation devices P₁, . . . , P_(N) or may be a device incorporated in any secure computation device P_(i). Each secure computation device P_(i) stores concealed authentication information [w]_(i)∈[F]^(L) which is a secret sharing value of authentication information w in a storage. Here, i=1, . . . , N holds and N is an integer which is 2 or greater. “β₁∈β₂” represents that β₁ belongs to β₂. F denotes a finite field and L denotes an integer which is 1 or greater. The finite field F may be a prime field or may be an extension field. For example, L is an integer which is 2 or greater. [F] denotes a secret sharing value of an element of the finite field F and [F]^(L) denotes a set composed of L pieces of [F]. [α]_(i) denotes a secret sharing value of α assigned to the secure computation device P_(i). Authentication information w is preliminarily registered for a qualified user. Authentication information w is not limited and may be any information such as a password, biometric authentication information, voice authentication information, and pattern authentication information. Each secure computation device P_(i) may store concealed authentication information [w]_(i) respectively corresponding to a plurality of pieces of authentication information w or may store only concealed authentication information [w]_(i) corresponding to a single piece of authentication information w.

A secret sharing scheme for obtaining a secret sharing value is not limited and a well-known (K, N) secret sharing scheme (also referred to as a “K-out-of-N threshold secret sharing scheme”) such as a replicated secret sharing scheme (see Reference Literature 1, for example) and Shamir's secret sharing scheme (see Reference Literature 2, for example) may be employed. Here, K is an integer which is 2 or greater and satisfies K≥N. For example, K=2 holds. In the (K, N) secret sharing scheme, concealed secret information can be reconstructed if arbitrary K pieces of secret sharing values which are different from each other are provided, but any information of secret information cannot be obtained even if arbitrary K−1 pieces of secret sharing values are provided. Shamir's secret sharing scheme which is the (K, N) secret sharing scheme is referred to as a “(K, N) Shamir's secret sharing scheme” below.

-   Reference Literature 1: Dai Ikarashi, Koji Chida, Koki Hamada, Katsumi Takahashi, “Secure Database Operations Using An Improved 3-party Verifiable Secure Function Evaluation”, In SCIS 2011, 2011.
-   Reference Literature 2: A. Shamir, “How to Share a Secret”, Communications of the ACM, November 1979, Volume 22, Number 11, pp. 612-613.

Concealed authentication information [ω]_(i)∈[F]^(L) which is a secret sharing value of authentication information ω is inputted into an input unit of each secure computation device P_(i). An arithmetic unit of each secure computation device P_(i) obtains a first concealed verification value [z]_(i)=[w−ω]_(i) with secure computation by using the concealed authentication information [w]_(i) and the concealed authentication information [ω]_(i) and outputs the first concealed verification value [z]_(i). [w−ω]_(i) denotes a secret sharing value of w−ω. A secure computation method is not limited and a well-known secure computation method described in Non-patent Literature 1 and Reference Literature 3, for example, may be employed. The same goes for the following secure computation.

-   Reference Literature 3: Koji Chida, Koki Hamada, Dai Ikarashi, Katsumi Takahashi, “A Three-party Secure Function Evaluation with Lightweight Verifiability Revisited”, In CSS, 2010.

A random number generation unit of each secure computation device P_(i) obtains and outputs a concealed extension field random number [r_(m)]_(i)∈[F^(ε)] which is a secret sharing value of an extension field random number r_(m)∈F^(ε). Here, ε denotes an integer which is 2 or greater, F^(ε) denotes an extension field of the finite field F, and an extension degree of the extension field F^(ε) is ε. ceil denotes a ceiling function and ceil(x) denotes the minimum integer which is equal to or greater than a real number x. m=0, . . . , M−1 holds and M=ceil(L/ε) is satisfied. M denotes an integer which is 1 or greater. For example, M is an integer which is 2 or greater. The concealed extension field random number [r_(m)]_(i) has to be generated in a state that the extension field random number r_(m) is concealed from any secure computation device P_(i). Such a method is well known and any method may be employed. For example, the secure computation devices P₁, . . . , P_(N) can generate the concealed extension field random number [r_(m)]_(i) in a coordinated manner. For instance, each secure computation device P_(i′) computes a secret sharing value [r_(m,i′)]_(i)∈[F^(ε)] of an extension field random number r_(m,i′) and sends the secret sharing value [r_(m,i′)]_(i) to the secure computation device P_(i) (where i=1, . . . , N, i′=1, . . . , N, and i′≠i), and each secure computation device P_(i) obtains [r_(m)]_(i)=[r_(m,1)+ . . . +r_(m,N)]_(i) with secure computation using secret sharing values [r_(m,1)]_(i), . . . , [r_(m,N)]_(i).

The arithmetic unit of each secure computation device P_(i) obtains a second concealed verification value [y_(m)]_(i) in which y_(m) is concealed with secure computation using the first concealed verification value [z]_(i) and outputs the second concealed verification value [y_(m)]_(i). Here, z=(z₀, . . . , z_(L-1))=w−ω, z_(j)∈F, and j=0, . . . , L−1 hold, y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)) holds for m=0, . . . , M−1, and z_(q) with which q>L−1 is established in q=ε(M−1), . . . , εM−1 is 0. z_(q) with which q>L−1 is established may be expressed as z_(q)=0 (that is, z_(q) may be padded with 0) or information representing that z_(q) with which q>L−1 is established is 0 may be added. The arithmetic unit of each secure computation device P_(i) may obtain each second concealed verification value [y_(m)]_(i) by dividing a sequence representing the first concealed verification value [z]_(i). If there is no z_(q) with which q>L−1 is established, for example, the arithmetic unit of each secure computation device P_(i) may divide the first concealed verification value [z]_(i)=[y₀]_(i)| . . . |[y_(M-1)]_(i) into M pieces so as to obtain [y₀]_(i), . . . , [y_(M-1)]_(i). Here, α₁|α₂ represents concatenation between α₁ and α₂. If there is z_(q) with which q>L−1 is established, the arithmetic unit of each secure computation device P_(i) may divide the first concealed verification value [z]_(i)=[y₀]_(i)| . . . |[y_(M-2)]_(i)|[y′_(M-1)]_(i) into [y₀]_(i), . . . , [y_(M-2)]_(i), [y′_(M-1)]_(i) and obtain a secret sharing value [0, . . . , 0]_(i) of z_(q)=0 for q>L−1 or a secret sharing value [0, . . . , 0]_(i) of information representing that z_(q) with which q>L−1 is established is 0 so as to establish [y_(M-1)]_(i)=[y′_(M-1)]_(i)|[0, . . . , 0]_(i).

The second concealed verification value [y_(m)]_(i) can be handled as a secret sharing value conforming to the (K, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε. The case of K=2 is explained. It is assumed that y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)) is obtained by expressing an element of the extension field of the order ε by a vector. That is, it is treated as y_(m)=(z_(εm), . . . , z_(ε(m+1)-1))∈F^(ε). The secret sharing value [y_(m)]_(i) obtained by performing secret sharing of y_(m)=(z_(εm), . . . , z_(ε(m+1)-1))∈F^(ε) in accordance with the (2, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε is expressed as follows.

$$\begin{aligned}
[y_m]_i &= y_m + {}_y s_m \cdot I \\
&= \left(z_{\varepsilon m} + {}_y s_{m,0} \cdot i,\ \ldots,\ z_{\varepsilon(m+1)-1} + {}_y s_{m,\varepsilon-1} \cdot i\right)
\end{aligned}\tag{1}$$

This is because a polynomial for obtaining a secret sharing value in accordance with the (2, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε can be assumed to be g(χ)=y₀+_(y)s_(m)·χ∈F^(ε). Here, _(y)s_(m,0), . . . , _(y)s_(m,ε-1) are respective members on a vector expression _(y)s_(m)=(_(y)s_(m,0), . . . , _(y)s_(m,ε-1))∈F^(ε) of an extension field random number _(y)s_(m)∈F^(ε), and a vector expression of a coordinate axis I∈F^(ε) corresponding to i is I=(i, 0, . . . , 0)∈F^(ε). Coordinate axis χ=(η, 0, . . . , 0)∈F^(ε) holds and η denotes an integer variable. g(I) obtained when χ=I=(i, 0, . . . , 0) is [y_(m)]_(i) and g(0) obtained when χ=0=(0, 0, . . . , 0) is y_(m). As expressed in formula (1), this secret sharing value [y_(m)]_(i) is an element of the extension field F^(ε) of the order ε. Here, when y_(m)∈F^(ε), _(y)s_(m)∈F^(ε), and I∈F^(ε) are expressed in a polynomial, the following is obtained.

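$$y_m = z_{\varepsilon m} + z_{\varepsilon m+1} \cdot X + \ldots + z_{\varepsilon(m+1)-1} \cdot X^{\varepsilon-1}$$

$${}_y s_m = {}_y s_{m,0} + {}_y s_{m,1} \cdot X + \ldots + {}_y s_{m,\varepsilon-1} \cdot X^{\varepsilon-1}$$

$$I = i + 0 \cdot X + \ldots + 0 \cdot X^{\varepsilon-1}$$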

Accordingly, when y_(m)+_(y)s_(m)·I∈F^(ε) is expressed in a polynomial, the following is obtained.

$$\begin{aligned}
y_m + {}_y s_m \cdot I &= z_{\varepsilon m} + z_{\varepsilon m+1} \cdot X + \ldots + z_{\varepsilon(m+1)-1} \cdot X^{\varepsilon-1} \\
&\quad + \left({}_y s_{m,0} + {}_y s_{m,1} \cdot X + \ldots + {}_y s_{m,\varepsilon-1} \cdot X^{\varepsilon-1}\right)\left(i + 0 \cdot X + \ldots + 0 \cdot X^{\varepsilon-1}\right) \\
&= z_{\varepsilon m} + z_{\varepsilon m+1} \cdot X + \ldots + z_{\varepsilon(m+1)-1} \cdot X^{\varepsilon-1} \\
&\quad + {}_y s_{m,0} \cdot I + {}_y s_{m,1} \cdot I \cdot X + \ldots + {}_y s_{m,\varepsilon-1} \cdot I \cdot X^{\varepsilon-1} \\
&= z_{\varepsilon m} + {}_y s_{m,0} \cdot I + \left(z_{\varepsilon m+1} + {}_y s_{m,1} \cdot I\right) \cdot X + \ldots \\
&\quad + \left(z_{\varepsilon(m+1)-1} + {}_y s_{m,\varepsilon-1} \cdot I\right) \cdot X^{\varepsilon-1}
\end{aligned}\tag{2}$$

Here, X satisfies ρ(X)=0 for an irreducible polynomial ρ(X) on the finite field F. Vectors whose members are respective coefficients of formula (2) are (z_(εm)+_(y)s_(m,0)·i, . . . , z_(ε(m+1)-1)+_(y)s_(m,ε-1)·i). This shows that formula (1) is obtained when y_(m)+_(y)s_(m)·I∈F^(ε) is expressed in a vector.

A simple example is described in which L=2, ε=2, K=2, and N=3 hold and the finite field F is a prime field GF(5) of an order 5. When secret sharing of z₀=0 and z₁=0 is performed by a (2, 3) Shamir's secret sharing scheme on the prime field GF(5), examples of a z₀ secret sharing value and a z₁ secret sharing value corresponding to the secure computation device P_(i) are respectively f₀(i)=z₀+2i mod 5 and f₁(i)=z₁+i mod 5. Here, M=ceil(2/2)=1 holds and the second concealed verification value [y₀]_(i)=[(z₀, z₁)]_(i) is expressed as [y₀]_(i)=[(z₀+2i mod 5, z₁+i mod 5)]_(i). That is, [y₀]₁=[(2, 1)]₁, [y₀]₂=[(4, 2)]₂, and [y₀]₃=[(1, 3)]₃ are established. Here, the second concealed verification value [y₀]_(i) may be handled as a secret sharing value conforming to Shamir's secret sharing scheme on a quadratic extension field of GF(5): F^(ε)=GF(5²). This is because a polynomial for obtaining a secret sharing value in accordance with the (2, N) Shamir's secret sharing scheme can be assumed to be g(χ)=y₀+_(y)s_(m)·χ∈GF(5²). Here, it is assumed that secret information y₀=(z₀, z₁), a random number _(y)s_(m)=(2, 1), and the coordinate axis χ=(η, 0) hold. η denotes an integer variable, g(I) obtained when χ=I=(i, 0) is [y₀]_(i), and g(0) obtained when χ=(0, 0)=0 is y₀. Thus, the second concealed verification value [y_(m)]_(i) can be handled as a secret sharing value conforming to the (K, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε.

The arithmetic unit of each secure computation device P_(i) obtains a third concealed verification value [r_(m)y_(m)]_(i) with secure computation by using the concealed extension field random number [r_(m)]_(i) and the second concealed verification value [y_(m)]_(i) and outputs the third concealed verification value [r_(m)y_(m)]_(i). As described above, when the concealed authentication information [w]_(i) is a secret sharing value conforming to the (K, N) Shamir's secret sharing scheme, the concealed authentication information [ω]_(i) is a secret sharing value conforming to the (K, N) Shamir's secret sharing scheme, each second concealed verification value [y_(m)]_(i) is obtained by joining members of a sequence representing the first concealed verification value [z]_(i), and the concealed extension field random number [r_(m)]_(i) is a secret sharing value conforming to the (K, N) Shamir's secret sharing scheme, the arithmetic unit of each secure computation device P_(i) can obtain the third concealed verification value [r_(m)y_(m)]_(i) by using the second concealed verification value [y_(m)]_(i) as a secret sharing value conforming to the (K, N) Shamir's secret sharing scheme. The arithmetic unit of each secure computation device P_(i) performs computation (multiplication on the extension field F^(ε)) of [r_(m)y_(m)]_(i)=[r_(m)]_(i)[y_(m)]_(i), for example. Two multiplication results of secret sharing values conforming to the (K, N) Shamir's secret sharing scheme are secret sharing values conforming to a (2K−1, N) Shamir's secret sharing scheme. Accordingly, the third concealed verification value [r_(m)y_(m)]_(i) obtained as the above is a secret sharing value conforming to the (2K−1, N) Shamir's secret sharing scheme. When K=2, for example, the third concealed verification value [r_(m)y_(m)]_(i) is a secret sharing value conforming to a (3, N) Shamir's secret sharing scheme. That is, a secret sharing value [r_(m)]_(i) obtained by performing secret sharing of r_(m)∈F^(ε) in accordance with the (2, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε is expressed as the following, as is the case with formula (1).

$$[r_m]_i = r_m + {}_r s_m \cdot I \tag{3}$$

Here, _(r)s_(m)∈F^(ε) represents an extension field random number. Formula (2) and formula (3) show that the following can be satisfied.

$\begin{matrix}\begin{matrix}{\left\lbrack {r_{m}y_{m}} \right\rbrack_{i} = {\left\lbrack r_{m} \right\rbrack_{i}\left\lbrack y_{m} \right\rbrack}_{i}} \\{= {\left( {y_{m} +_{y}{s_{m} \cdot I}} \right)\left( {r_{m} +_{r}{s_{m} \cdot I}} \right)}} \\{= {{{r_{m} \cdot y_{m}} + {\left( {{r_{m} \cdot_{y}s} +_{r}{s \cdot y_{m}}} \right) \cdot I} +_{r}{s \cdot_{y}s \cdot I^{2}}} \in F^{ɛ}}}\end{matrix} & (4)\end{matrix}$

This shows that [r_(m)y_(m)]_(i) is a secret sharing value of r_(m)y_(m) conforming to the (3, N) Shamir's secret sharing scheme. This is because a polynomial for obtaining a secret sharing value in accordance with the (3, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε can be assumed to be g′(χ)=r_(m)·y_(m)+(r_(m)·_(y)s+_(r)s·y_(m))·χ+_(r)s·_(y)s·χ²∈F^(ε), and accordingly, g′(I) obtained when χ=I=(i, 0, . . . , 0) is [r_(m)y_(m)]_(i) and g′(0) obtained when χ=0=(0, 0, . . . , 0) is r_(m)·y_(m).

Here, third concealed verification values [r₀y₀]_(i), . . . , [r_(M-1)y_(M-1)]_(i) may be outputted as concealed values of authentication results (scheme 1). However, if each secure computation device P_(i) further performs the following processing, security can be further enhanced (scheme 2). In the scheme 2, the random number generation unit of each secure computation device P_(i) further obtains a second concealed extension field random number [R_(m)]_(i)=R_(m)+_(R)s_(m)·I∈F^(ε) which is a secret sharing value of a second extension field random number R_(m)∈F^(ε) in accordance with the (2, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε and outputs the second concealed extension field random number [R_(m)]_(i). As is the case with the above-described generation of the concealed extension field random number [r_(m)]_(i), the second concealed extension field random number [R_(m)]_(i) has to be generated in a state that the second extension field random number R_(m) is concealed from any secure computation device P_(i). Such a method is well-known and any method may be employed. The arithmetic unit of each secure computation device P_(i) subsequently obtains an extension field multiplication value [R_(m)]_(i)·I=R_(m)·I+_(R)s_(m)·I²∈F^(ε) by using the second concealed extension field random number [R_(m)]_(i) and I and outputs the extension field multiplication value [R_(m)]_(i)·I. The arithmetic unit of each secure computation device P_(i) further obtains a fourth concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I=r_(m)·y_(m)+(r_(m)·_(y)s_(m)+_(r)s_(m)·y_(m)+R_(m))·I+(_(r)s_(m)·_(y)s_(m)+_(R)s_(m))·I²∈F^(ε) by using the third concealed verification value [r_(m)y_(m)]_(i) and the extension field random number [R_(m)]_(i)·I and outputs the fourth concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I. Here, [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I is a secret sharing value of r_(m)·y_(m) conforming to the (3, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε. This is because a polynomial for obtaining a secret sharing value in accordance with the (3, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε can be assumed to be g″(χ)=r_(m)·y_(m)+(r_(m)·_(y)s_(m)+_(r)s_(m)·y_(m)+R_(m))·χ+(_(r)s_(m)·_(y)s_(m)+_(R)s_(m))·χ²∈F^(ε), and accordingly, g′(I) obtained when χ=I=(i, 0, . . . , 0) is [r_(m)y_(m)]_(i) and g′(0) obtained when χ=0=(0, 0, . . . , 0) is r_(m)·y_(m).

The verification device determines that authentication is successful when r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1. On the other hand, the verification device determines that authentication is failed when r_(m)y_(m)=0 is not satisfied for any of m=0, . . . , M−1. Processing of the verification device for the schemes 1 and 2 is described below.

In the scheme 1, when the third concealed verification value [r_(m)y_(m)]_(i) is a secret sharing value conforming to a (K, N) Shamir's secret sharing scheme, at least κ pieces of third concealed verification values [r_(m)y_(m)]_(φ(1)), . . . , [r_(m)y_(m)]_(φ(κ)) which are mutually different are inputted into a reconstruction unit of the verification device and the reconstruction unit of the verification device reconstructs a verification value r_(m)y_(m) by using the third concealed verification values [r_(m)y_(m)]_(φ(1)), . . . , [r_(m)y_(m)]_(φ(κ)) and outputs the verification value r_(m)y_(m). Here, κ is a positive integer which is from 1 to N inclusive and {φ(1), . . . , φ(κ)}⊆{1, . . . , N} holds. For example, when the third concealed verification value [r_(m)y_(m)]_(i) is a secret sharing value conforming to the (2K−1, N) Shamir's secret sharing scheme, the reconstruction unit of the verification device reconstructs a verification value r_(m)y_(m) by using third concealed verification values [r_(m)y_(m)]_(φ(1)), . . . , [r_(m)y_(m)]_(φ(2K-1)) which are outputted from at least 2K−1 pieces of secure computation devices and outputs the verification value r_(m)y_(m). A determination unit of the verification device determines that authentication is successful when r_(m)y_(m)=0 is satisfied in any authentication information w for all of m=0, . . . , M−1. On the other hand, when r_(m)y_(m)=0 is not satisfied in all pieces of authentication information w for any m, authentication is determined to be failed. Alternatively, in the scheme 1, the verification device may perform an operation including secure computation using at least part of [r₀y₀]_(i), . . . , [r_(M-1)y_(M-1)]_(i) and reconstruction and determine whether or not r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 by using reconstructed values obtained through the operation. For example, the verification device may obtain secret sharing values [r₀y₀+ . . . +r_(M-1)y_(M-1)]_(μ) with secure computation using [r₀y₀]_(μ), . . . , [r_(M-1)y_(M-1)]_(μ), and determine that r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 when r₀y₀+ . . . +r_(M-1)y_(M-1) reconstructed from these secret sharing values [r₀y₀+ . . . +r_(M-1)y_(M-1)]_(μ) is 0 or determine that r_(m)y_(m)=0 is not satisfied for any of m=0, . . . , M−1 when r₀y₀+ . . . +r_(M-1)y_(M-1) is not 0. Here, μ=φ(1), . . . , φ(κ) holds.

In the scheme 2, the verification device performs an operation with respect to [r_(m)y_(m)]_(φ(1))+[R_(m)]_(φ(1))·I, [r_(m)y_(m)]_(φ(2))+[R_(m)]_(φ(2))·I, and [r_(m)y_(m)]_(φ(3))+[R_(m)]_(φ(3))·I by using [r_(m)y_(m)]_(φ(1))+[R_(m)]_(φ(1))·I, [r_(m)y_(m)]_(φ(2))+[R_(m)]_(φ(2))·I, and [r_(m)y_(m)]_(φ(3))+[R_(m)]_(φ(3))·I among the above-described fourth concealed verification values [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I in accordance with the (3, N) Shamir's secret sharing scheme on the extension field F^(ε) of the order ε, and determines that authentication is successful when r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1. For example, [r_(m)y_(m)]_(φ(1))+[R_(m)]_(φ(1))·I, [r_(m)y_(m)]_(φ(2))+[R_(m)]_(φ(2))·I, and [r_(m)y_(m)]_(φ(3))+[R_(m)]_(φ(3))·I are inputted into the reconstruction unit of the verification device and the reconstruction unit of the verification device reconstructs a verification value r_(m)y_(m) by using these and outputs the verification value r_(m)y_(m). The determination unit of the verification device determines that authentication is successful when r_(m)y_(m)=0 is satisfied in any authentication information w for all of m=0, . . . , M−1. On the other hand, when r_(m)y_(m)=0 is not satisfied in all pieces of authentication information w for any m, authentication is determined to be failed. Alternatively, in the scheme 2, the verification device may perform an operation including secure computation using at least part of [r₀y₀]_(i″)+[R₀]_(i″)·I″, . . . , [r_(M-1)y_(M-1)]_(i″)+[R_(M-1)]_(i″)·I″ and reconstruction and determine whether or not r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 by using reconstructed values obtained through the operation. Here, i″=φ(1), φ(2), φ(3) and I″=(i″, 0, . . . , 0)∈F^(ε) hold. For example, the verification device may obtain a secret sharing value [r₀y₀+ . . . +r_(M-1)y_(M-1)]_(i″) with secure computation using [r₀y₀]_(i″)+[R₀]_(i″)·I″, . . . , [r_(M-1)y_(M-1)]_(i″)+[R_(M-1)]_(i″)·I″, and determine that r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 when r₀y₀+ . . . +r_(M-1)y_(M-1) obtained by reconstructing the secret sharing value [r₀y₀+ . . . +r_(M-1)y_(M-1)]_(i″) is 0 or determine that r_(m)y_(m)=0 is not satisfied for any of m=0, . . . , M−1 when r₀y₀+ . . . +r_(M-1)y_(M-1) is not 0.

In the above-described method, the use of the concealed extension field random number [r_(m)]_(i) can prevent generation of unauthorized concealed verification values, with which r_(m)y_(m)=0 is reconstructed even when w−ω≠0, and resulting determination of successful authentication. Further, r_(m)y_(m)=0 is established irrespective of a value of an extension field random number r_(m) when w−ω=0, so that authentication is not determined to be failed even when w−ω=0. Further, since each processing is performed with secure computation, authentication processing can be performed while keeping authentication information secret. Thus, authentication processing with high level of security against spoofing can be performed while keeping authentication information secret.
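The scheme 1 data flow described above, as an added single-process sketch that is not part of the patent text: it generalizes the GF(5) example to any length L, and it assumes F=GF(257), ε=2, K=2, N=3 and ρ(X)=X²−3, none of which the document fixes. All function names are hypothetical, and the three parties are simulated in one process.

```python
import random

P = 257   # F = GF(257): assumed so one byte fits in one field element
EPS = 2   # extension degree ε, fixed to 2 in this sketch
C = 3     # assumed ρ(X) = X^2 - 3 (3 is a non-residue mod 5 and mod 257)

def ext_add(a, b, p=P):
    return ((a[0] + b[0]) % p, (a[1] + b[1]) % p)

def ext_mul(a, b, p=P):
    """(a0 + a1·X)(b0 + b1·X) reduced with X^2 = C."""
    return ((a[0] * b[0] + C * a[1] * b[1]) % p, (a[0] * b[1] + a[1] * b[0]) % p)

def ext_scale(a, k, p=P):
    """Multiply by I = (k, 0), which acts as a base-field scalar."""
    return (a[0] * k % p, a[1] * k % p)

def share_ext(secret, slope, n, p=P):
    """(2, n) Shamir shares secret + slope·I for i = 1..n, as in formulas (1) and (3)."""
    return [ext_add(secret, ext_scale(slope, i, p), p) for i in range(1, n + 1)]

def share_vector(v, n, rng, p=P):
    """Component-wise (2, n) sharing of v in F^L; entry i-1 is the share vector of P_i."""
    slopes = [rng.randrange(p) for _ in v]
    return [[(x + s * i) % p for x, s in zip(v, slopes)] for i in range(1, n + 1)]

def pack(z_share):
    """Split [z]_i into M = ceil(L/ε) blocks [y_m]_i, padding the tail with shares of 0."""
    padded = list(z_share) + [0] * (-len(z_share) % EPS)
    return [tuple(padded[k:k + EPS]) for k in range(0, len(padded), EPS)]

def joint_random(m_blocks, n, rng, p=P):
    """Every party shares its own r_{m,i'}; P_i adds up what it receives, so
    [r_m]_i = [r_{m,1} + ... + r_{m,N}]_i and no single party learns r_m."""
    shares = [[(0, 0)] * m_blocks for _ in range(n)]
    for _dealer in range(n):
        for m in range(m_blocks):
            secret = (rng.randrange(p), rng.randrange(p))
            slope = (rng.randrange(p), rng.randrange(p))
            for i, contrib in enumerate(share_ext(secret, slope, n, p)):
                shares[i][m] = ext_add(shares[i][m], contrib, p)
    return shares

def party_compute(w_share, omega_share, r_share, p=P):
    """P_i: [z]_i = [w]_i - [ω]_i, pack into [y_m]_i, output [r_m y_m]_i (local product)."""
    z = [(a - b) % p for a, b in zip(w_share, omega_share)]
    return [ext_mul(r, y, p) for r, y in zip(r_share, pack(z))]

def reconstruct(points, values, p=P):
    """Lagrange interpolation at 0; the points i lie in F, so it works per coordinate."""
    total = (0, 0)
    for i, v in zip(points, values):
        lam = 1
        for j in points:
            if j != i:
                lam = lam * j * pow((j - i) % p, -1, p) % p
        total = ext_add(total, ext_scale(v, lam, p), p)
    return total

def verify(outputs, p=P):
    """Verification device for K = 2: 2K-1 = 3 shares give r_m·y_m; accept iff all are 0."""
    points = [1, 2, 3]
    return all(
        reconstruct(points, [outputs[i - 1][m] for i in points], p) == (0, 0)
        for m in range(len(outputs[0]))
    )

def authenticate(w, omega, n=3, rng=None, p=P):
    """Scheme 1 end to end; w and omega are sequences of elements of F."""
    if len(w) != len(omega):          # size check of step S1291-i
        return False
    rng = rng or random.SystemRandom()
    w_sh, o_sh = share_vector(w, n, rng, p), share_vector(omega, n, rng, p)
    r_sh = joint_random(-(-len(w) // EPS), n, rng, p)
    return verify([party_compute(w_sh[i], o_sh[i], r_sh[i], p) for i in range(n)], p)
```

Because each party multiplies its shares locally, the output is a degree-2 sharing, which is why `verify` needs three shares rather than two. With w≠ω the check can only pass for a block if that block's r_m happens to be 0.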

First Embodiment

A first embodiment according to the present invention is now described with reference to the accompanying drawings. The first embodiment is an example of the scheme 1.

<Configuration>

As illustrated in FIG. 1, a secure computation authentication system 1 according to the present embodiment includes a user device 11, a plurality of pieces of secure computation devices 12-1, . . . , 12-N, and a verification device 13 which are communicably connected via a network. N in the present embodiment denotes an integer which is 2 or greater. Note that the secure computation authentication system 1 of FIG. 1 includes a single piece of user device 11 and a single piece of verification device 13 so as to simplify the description, but the secure computation authentication system 1 may include two or more pieces of user devices 11 and/or verification devices 13.

As illustrated in FIG. 2, the secure computation device 12-i of the present embodiment includes an input unit 121-i, an output unit 122-i, a control unit 124-i, arithmetic units 125-i, 126-i, and 127-i, a random number generation unit 128-i, a determination unit 129-i, and a storage 123-i. The secure computation device 12-i executes each processing under the control of the control unit 124-i and data obtained in each unit is stored in the storage 123-i and read out and used for other processing as needed. As illustrated in FIG. 3A, the user device 11 of the present embodiment includes an input unit 111, an output unit 112, a control unit 114, a concealment unit 115, and a display unit 116. The user device 11 executes each processing under the control of the control unit 114 and data obtained in each unit is stored in a storage (not shown) and read out and used for other processing as needed. As illustrated in FIG. 3B, the verification device 13 of the present embodiment includes an input unit 131, an output unit 132, a control unit 134, a reconstruction unit 136, and a determination unit 137. The verification device 13 executes each processing under the control of the control unit 134 and data obtained in each unit is stored in a storage (not shown) and read out and used for other processing as needed.

<Preprocessing>

A single piece or a plurality of pieces of concealed authentication information [w]_(i)∈[F]^(L) which is/are pre-registered is/are stored in the storage 123-i of each secure computation device 12-i (where i=1, . . . , N). Authentication information w itself is not made public to each secure computation device 12-i. A secret sharing scheme employed in the secure computation authentication system 1 is predetermined, and the user device 11, a plurality of pieces of secure computation devices 12-1, . . . , 12-N, and the verification device 13 perform secure computation with respect to a secret sharing value conforming to this secret sharing scheme.

<Secure Computation Authentication Processing>

As illustrated in FIG. 4, a user first inputs authentication information ω into the input unit 111 of the user device 11 (FIG. 3A) (step S1111). The authentication information ω is transmitted to the concealment unit 115, and the concealment unit 115 obtains and outputs concealed authentication information [ω]_(i) (where i=1, . . . , N) which is a secret sharing value of this authentication information ω (step S115). The concealed authentication information [ω]_(i) is transmitted to the output unit 112, and the output unit 112 outputs the concealed authentication information [ω]_(i) to each secure computation device 12-i (step S1121).

As illustrated in FIG. 5, each concealed authentication information [ω]_(i) is transmitted to each secure computation device 12-i (FIG. 2) via a network and inputted into the input unit 121-i (step S121-i). The concealed authentication information [ω]_(i) is inputted into the determination unit 129-i. The determination unit 129-i reads out any concealed authentication information [w]_(i) (for example, any concealed authentication information [w]_(i) to which processing on and after step S1291-i has not been performed) from the storage 123-i (step S123-i) and determines whether or not the size of the concealed authentication information [ω]_(i) and the size of the concealed authentication information [w]_(i) are mutually identical (step S1291-i). When it is determined that these are not mutually identical, information representing “failure” is outputted (step S1221-i) and the processing goes to step S1292-i.

On the other hand, when it is determined that the size of the concealed authentication information [ω]_(i) and the size of the concealed authentication information [w]_(i) are mutually identical, the arithmetic unit 125-i (first arithmetic unit) obtains a concealed verification value [z]_(i)=[w−ω]_(i) (first concealed verification value) with secure computation by using these concealed authentication information [ω]_(i) and concealed authentication information [w]_(i) as inputs and outputs the concealed verification value [z]_(i) (step S125-i, FIG. 7). The random number generation unit 128-i obtains and outputs a concealed extension field random number [r_(m)]_(i)∈[F^(ε)] (where m=0, . . . , M−1 and M=ceil(L/ε)) which is a secret sharing value of the extension field random number r_(m) (step S128-i, FIG. 7). The arithmetic unit 126-i (second arithmetic unit) obtains a concealed verification value [y_(m)]_(i) (second concealed verification value) in which y_(m) is concealed with secure computation by using the concealed verification value [z]_(i) as an input and outputs the concealed verification value [y_(m)]_(i). Here, z=(z₀, . . . , z_(L-1))=w−ω, z_(j)∈F, j=0, . . . , L−1, and y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)) hold, and z_(q) by which q>L−1 is established among q=ε(M−1), . . . , εM−1 is 0. That is, when Mε−L=0, each sequence obtained by dividing a sequence of z₀, . . . , z_(L-1) by M is y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)), as illustrated in FIG. 7. When Mε−L≠0, y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)) is established for m=0, . . . , M−2 and (z_(ε(M-1)), . . . , z_(L-1), 0, . . . , 0), which is composed of z_(ε(M-1)), . . . , z_(L-1) and Mε−L pieces of 0, is y_(M-1) for m=M−1 (step S126-i). The arithmetic unit 127-i (third arithmetic unit) obtains a concealed verification value [r_(m)y_(m)]_(i) (third concealed verification value) with secure computation by using the concealed extension field random number [r_(m)]_(i) and the concealed verification value [y_(m)]_(i) as inputs and outputs the concealed verification value [r_(m)y_(m)]_(i), and the processing goes to step S1292-i (step S127-i).

In step S1292-i, whether or not processing on and after step S123-i has been executed is determined for all pieces of concealed authentication information [w]_(i) stored in the storage 123-i (step S1292-i). When the processing on and after step S123-i has not been executed for all pieces of concealed authentication information [w]_(i), the processing is returned to step S123-i. On the other hand, when the processing on and after step S123-i has been executed for all pieces of concealed authentication information [w]_(i), the processing of step S1222-i is executed.

In step S1222-i, the concealed verification value [r_(m)y_(m)]_(i) obtained in step S127-i is inputted into the output unit 122-i. When there is no concealed verification value [r_(m)y_(m)]_(i) obtained in step S127-i, information representing “failure” is inputted into the output unit 122-i. The output unit 122-i outputs the concealed verification value [r_(m)y_(m)]_(i) or the information representing “failure” to the verification device 13 (step S1222-i).

As illustrated in FIG. 6, the concealed verification value [r_(m)y_(m)]_(i) or the information representing “failure” is transmitted to the verification device 13 via a network and inputted into the input unit 131 of the verification device 13 (FIG. 3B) (step S131). When the information representing “failure” is inputted, processing of step S1322 is executed. On the other hand, when information representing the concealed verification value [r_(m)y_(m)]_(i) is inputted, processing on and after step S136 is executed (step S1370).

In step S136, the reconstruction unit 136 reconstructs the verification value r_(m)y_(m) by using concealed verification values [r_(m)y_(m)]_(φ(1)), . . . , [r_(m)y_(m)]_(φ(κ)), which correspond to an identical w, and outputs the verification value r_(m)y_(m). Here, {φ(1), . . . , φ(κ)}⊆{1, . . . , N} holds. When it is determined that r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1, the determination unit 137 outputs “information representing that authentication is successful” (step S1321). On the other hand, when it is determined that r_(m)y_(m)=0 is not satisfied for any m, the determination unit 137 subsequently determines whether or not processing of step S136 has been performed for all w (step S1372). When it is determined that processing of step S136 has not been performed for any w, the processing returns to step S136. On the other hand, when it is determined that the processing of step S136 has been performed for all w, processing of step S1322 is executed. In step S1322, the determination unit 137 outputs “information representing that authentication is failed” (step S1322).

An authentication result which is the “information representing that authentication is successful” outputted in step S1321 or the “information representing that authentication is failed” outputted in step S1322 is inputted into the output unit 132. The output unit 132 outputs the authentication result to the user device 11. The authentication result is inputted into the input unit 111 of the user device 11 (FIG. 3A) (step S1112) and displayed from the display unit 116 (step S116).

Modification of First Embodiment

The verification device 13 may perform an operation including secure computation using at least part of [r₀y₀]_(i), . . . , [r_(M-1)y_(M-1)]_(i) and reconstruction and determine whether or not r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 by using a reconstructed value obtained through the operation. As well as the above-described example, the verification device 13 may obtain secret sharing values [r₀y₀+r₁y₁]_(μ), [r₂y₂+r₃y₃]_(μ), . . . , [r_(M-2)y_(M-2)+r_(M-1)y_(M-1)]_(μ) with secure computation using [r₀y₀]_(μ), . . . , [r_(M-1)y_(M-1)]_(μ), and determine that r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 when all of r₀y₀+r₁y₁, r₂y₂+r₃y₃, . . . , r_(M-2)y_(M-2)+r_(M-1)y_(M-1) reconstructed from these secret sharing values [r₀y₀+r₁y₁]_(μ), [r₂y₂+r₃y₃]_(μ), . . . , [r_(M-2)y_(M-2)+r_(M-1)y_(M-1)]_(μ) are 0 or determine that r_(m)y_(m)=0 is not satisfied for any of m=0, . . . , M−1 when any of r₀y₀+r₁y₁, r₂y₂+r₃y₃, . . . , r_(M-2)y_(M-2)+r_(M-1)y_(M-1) is not 0, for example.

Second Embodiment

A second embodiment according to the present invention is next described with reference to the accompanying drawings. The second embodiment is an example of the scheme 2. Differences from the first embodiment are mainly described and description of matters common to the first embodiment is simplified by referring to the same reference characters below. Further, although this is not restated each time below, the present embodiment employs the (2, N) Shamir's secret sharing scheme as a secret sharing scheme unless otherwise specifically noted.

<Configuration>

As illustrated in FIG. 1, a secure computation authentication system 2 according to the present embodiment includes a user device 11, a plurality of pieces of secure computation devices 22-1, . . . , 22-N, and a verification device 23 which are communicably connected via a network. N in the present embodiment denotes an integer which is 3 or greater. Note that the secure computation authentication system 2 of FIG. 1 includes a single piece of user device 11 and a single piece of verification device 23 so as to simplify the description, but the secure computation authentication system 2 may include two or more pieces of user devices 11 and/or verification devices 23.

As illustrated in FIG. 2, the secure computation device 22-i of the present embodiment includes an input unit 121-i, an output unit 122-i, a control unit 124-i, arithmetic units 125-i, 126-i, 127-i, 223-i, and 224-i, random number generation units 128-i and 228-i, a determination unit 129-i, and a storage 123-i. The secure computation device 22-i executes each processing under the control of the control unit 124-i and data obtained in each unit is stored in the storage 123-i and read out and used for other processing as needed. As illustrated in FIG. 3B, the verification device 23 of the present embodiment includes an input unit 131, an output unit 132, a control unit 134, a reconstruction unit 236, and a determination unit 137. The verification device 23 executes each processing under the control of the control unit 134 and data obtained in each unit is stored in a storage (not shown) and read out and used for other processing as needed.

<Preprocessing>

Same as the first embodiment.

<Secure Computation Authentication Processing>

As illustrated in FIG. 4, the processing of steps S111, S115, and S1121 described in the first embodiment is executed. Accordingly, each concealed authentication information [ω]_(i) outputted from the user device 11 is inputted into the input unit 121-i of each secure computation device 22-i (FIG. 2) (step S121-i). Then, the processing of steps S123-i and S1291-i described in the first embodiment is executed, and information representing “failure” is outputted when it is determined that the size of the concealed authentication information [ω]_(i) and the size of the concealed authentication information [w]_(i) are not mutually identical in step S1291-i (step S1221-i), and the processing goes to step S1292-i. On the other hand, when it is determined that the size of the concealed authentication information [ω]_(i) and the size of the concealed authentication information [w]_(i) are mutually identical, the processing of steps S125-i, S128-i, S126-i, and S127-i described in the first embodiment is executed. In the present embodiment, r_(m)∈F^(ε), _(r)s_(m)∈F^(ε), _(y)s_(m)∈F^(ε), I∈F^(ε), [r_(m)]_(i)=r_(m)+_(r)s_(m)·I∈F^(ε), [y_(m)]_(i)=y_(m)+_(y)s_(m)·I∈F^(ε), and [r_(m)y_(m)]_(i)=r_(m)·y_(m)+(r_(m)·_(y)s_(m)+_(r)s_(m)·y_(m))·I+_(r)s_(m)·_(y)s_(m)·I²∈F^(ε) hold.

After that, the random number generation unit 228-i (second random number generation unit) obtains and outputs a concealed extension field random number (second concealed extension field random number) [R_(m)]_(i)=R_(m)+_(R)s_(m)·I∈F^(ε) which is a secret sharing value of the extension field random number (second extension field random number) R_(m)∈F^(ε) (step S228-i). Then, the arithmetic unit 223-i (fourth arithmetic unit) multiplies the concealed extension field random number [R_(m)]_(i) by I on the extension field F^(ε) of the order ε to obtain and output an extension field multiplication value [R_(m)]_(i)·I=R_(m)·I+_(R)s_(m)·I²∈F^(ε). Here, _(R)s_(m)∈F^(ε) holds (step S223-i). Further, the arithmetic unit 224-i (fifth arithmetic unit) obtains a concealed verification value (fourth concealed verification value) [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I=r_(m)·y_(m)+(r_(m)·_(y)s_(m)+_(r)s_(m)·y_(m)+R_(m))·I+(_(r)s_(m)·_(y)s_(m)+_(R)s_(m))·I²∈F^(ε) by using the concealed verification value [r_(m)y_(m)]_(i) and the extension field multiplication value [R_(m)]_(i)·I and outputs the concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I (step S224-i).

In step S1292-i, whether or not processing on and after step S123-i has been executed is determined for all pieces of concealed authentication information [w]_(i) stored in the storage 123-i (step S1292-i). When the processing on and after step S123-i has not been executed for all pieces of concealed authentication information [w]_(i), the processing is returned to step S123-i. On the other hand, when the processing on and after step S123-i has been executed for all pieces of concealed authentication information [w]_(i), the processing of step S2222-i is executed.

In step S2222-i, the concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I obtained in step S224-i is inputted into the output unit 122-i. When there is no concealed verification value obtained in step S224-i, information representing “failure” is inputted into the output unit 122-i. The output unit 122-i outputs the concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I or the information representing “failure” to the verification device 13 (step S2222-i).

As illustrated in FIG. 6, the concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I or the information representing “failure” is transmitted to the verification device 23 via a network and inputted into the input unit 131 of the verification device 23 (FIG. 3B) (step S231). When the information representing “failure” is inputted, processing of step S1322 is executed. On the other hand, when information representing the concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I is inputted, processing on and after step S236 is executed.

In step S236, the reconstruction unit 236 reconstructs the verification value r_(m)y_(m) by using [r_(m)y_(m)]_(K(1))+[R_(m)]_(K(1))·I, [r_(m)y_(m)]_(K(2))+[R_(m)]_(K(2))·I, and [r_(m)y_(m)]_(K(3))+[R_(m)]_(K(3))·I in accordance with the (3, N) Shamir's secret sharing scheme and outputs the verification value r_(m)y_(m). Here, {K(1), K(2), K(3)}⊆{1, . . . , N} holds (step S236). The determination unit 137 determines whether or not r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 by using r₀y₀, . . . , r_(M-1)y_(M-1) as inputs (step S1371). When it is determined that r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1, the determination unit 137 outputs “information representing that authentication is successful” (step S1321). On the other hand, when it is determined that r_(m)y_(m)=0 is not satisfied for any m, the determination unit 137 subsequently determines whether or not processing of step S236 has been performed for all w (step S1372). When it is determined that the processing of step S236 has not been performed for any w, the processing returns to step S236. On the other hand, when it is determined that processing of step S236 is performed for all w, processing of step S1322 is executed. In step S1322, the determination unit 137 outputs “information representing that authentication is failed” (step S1322). Processing on and after this is the same as that of the first embodiment.
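The following Python sketch is an added example, not code from the patent: it runs the device-side steps S125-i to S127-i and S223-i/S224-i and the verifier's reconstruction (step S236) end to end for one registered w. It assumes F = GF(251), ε = 2 with F^(ε) = GF(251)[x]/(x²+1), N = 4, and a trusted dealer standing in for the devices' joint generation of [r_(m)]_(i) and [R_(m)]_(i); all function names are hypothetical.

```python
import secrets

P = 251      # assumed base field F = GF(251); 251 % 4 == 3, so x^2 + 1 is irreducible
EPS = 2      # assumed extension degree: F^eps = GF(251)[x]/(x^2 + 1)
N = 4        # number of secure computation devices (N >= 3)

def ext_add(a, b):
    return ((a[0] + b[0]) % P, (a[1] + b[1]) % P)

def ext_mul(a, b):
    # (a0 + a1*x)(b0 + b1*x) reduced with x^2 = -1
    return ((a[0] * b[0] - a[1] * b[1]) % P, (a[0] * b[1] + a[1] * b[0]) % P)

def ext_scale(c, a):
    # Multiplying by I = (i, 0) in F^eps is the same as scaling by i in F.
    return ((c * a[0]) % P, (c * a[1]) % P)

def rand_ext():
    return (secrets.randbelow(P), secrets.randbelow(P))

def share_base(v):
    """(2, N) Shamir shares of v in F: v + s*i for i = 1..N."""
    s = secrets.randbelow(P)
    return [(v + s * i) % P for i in range(1, N + 1)]

def share_ext(v):
    """(2, N) Shamir shares of v in F^eps: v + s*I with I = (i, 0)."""
    s = rand_ext()
    return [ext_add(v, ext_scale(i, s)) for i in range(1, N + 1)]

def share_vector(vec):
    """out[i-1][j] is device i's share of vec[j]."""
    cols = [share_base(v) for v in vec]
    return [[c[i] for c in cols] for i in range(N)]

def device_step(i, w_sh, om_sh, r_sh, R_sh):
    """What device i computes locally; returns None for "failure"."""
    if len(w_sh) != len(om_sh):                      # size check, step S1291-i
        return None
    z = [(a - b) % P for a, b in zip(w_sh, om_sh)]   # [z]_i = [w - omega]_i
    z += [0] * (-len(z) % EPS)                       # z_q = 0 for q > L-1
    out = []
    for m in range(len(z) // EPS):
        y = tuple(z[EPS * m:EPS * (m + 1)])          # [y_m]_i by joining shares
        v = ext_mul(r_sh[m], y)                      # [r_m y_m]_i, degree 2 in I
        out.append(ext_add(v, ext_scale(i, R_sh[m])))  # + [R_m]_i * I
    return out

def reconstruct(points, shares):
    """Lagrange interpolation at 0 from three shares ((3, N) Shamir)."""
    total = (0, 0)
    for k, xk in enumerate(points):
        lam = 1
        for j, xj in enumerate(points):
            if j != k:
                lam = lam * (-xj) * pow((xk - xj) % P, -1, P) % P
        total = ext_add(total, ext_scale(lam, shares[k]))
    return total

def authenticate(w, omega, r=None, devices=(1, 3, 4)):
    """Return (accepted, [r_m * y_m]). r may be fixed for testing; otherwise random."""
    M = -(-len(w) // EPS)                            # M = ceil(L / eps)
    r = r or [rand_ext() for _ in range(M)]
    w_sh, om_sh = share_vector(w), share_vector(omega)
    r_sh = [share_ext(v) for v in r]                 # dealer stand-in (assumption)
    R_sh = [share_ext(rand_ext()) for _ in range(M)]
    outs = {i: device_step(i, w_sh[i - 1], om_sh[i - 1],
                           [s[i - 1] for s in r_sh], [s[i - 1] for s in R_sh])
            for i in devices}
    if any(o is None for o in outs.values()):
        return False, []
    values = [reconstruct(devices, [outs[i][m] for i in devices]) for m in range(M)]
    return all(v == (0, 0) for v in values), values
```

The verifier only ever sees r_(m)y_(m): on a mismatch this is the difference block y_(m) scaled by a random r_(m) rather than w−ω itself, and a block with r_(m)=0 reconstructs to 0 regardless of y_(m).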

Modification of Second Embodiment

The verification device 23 may perform an operation including secure computation using at least part of [r₀y₀]_(i″)+[R₀]_(i″)·I″, . . . , [r_(M-1)y_(M-1)]_(i″)+[R_(M-1)]_(i″)·I″ and reconstruction and determine whether or not r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 by using a reconstructed value obtained through the operation. Here, i″=φ(1), φ(2), φ(3) and I″=(i″, 0, . . . , 0)∈F^(ε) hold. As well as the above-described example, the verification device 23 may generate secret sharing values for r₀y₀+r₁y₁, r₂y₂+r₃y₃, . . . , r_(M-2)y_(M-2)+r_(M-1)y_(M-1) with secure computation using [r₀y₀]_(i″)+[R₀]_(i″)·I″, . . . , [r_(M-1)y_(M-1)]_(i″)+[R_(M-1)]_(i″)·I″, and determine that r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1 when all of r₀y₀+r₁y₁, r₂y₂+r₃y₃, . . . , r_(M-2)y_(M-2)+r_(M-1)y_(M-1) reconstructed from these secret sharing values are 0 or determine that r_(m)y_(m)=0 is not satisfied for any of m=0, . . . , M−1 when any of r₀y₀+r₁y₁, r₂y₂+r₃y₃, . . . , r_(M-2)y_(M-2)+r_(M-1)y_(M-1) is not 0.

[Modification Etc.]

The present invention is not limited to the above-described embodiments. For example, at least part of the secure computation devices 12-1 to 12-N (for example, all of the secure computation devices 12-1 to 12-N) may include the user device 11 and/or include the verification device 13. Further, all secret sharing values handled in each unit of each device may conform to the same secret sharing scheme or do not have to do so. In the latter case, a secret sharing value conforming to a specific secret sharing scheme may be converted into a secret sharing value conforming to another secret sharing scheme by a well-known secret sharing value conversion method. Further, “obtaining β by using α” may be calculating β through computation using α or extracting β which has been preliminarily computed by retrieval processing using α.

The above-described various kinds of processing may be executed, in addition to being executed in chronological order in accordance with the descriptions, in parallel or individually depending on the processing power of a device that executes the processing or when necessary. In addition, it goes without saying that changes may be made as appropriate without departing from the spirit of the present invention.

Each of the above-described devices is embodied by execution of a predetermined program by a general- or special-purpose computer having a processor (hardware processor) such as a central processing unit (CPU), memories such as random-access memory (RAM) and read-only memory (ROM), and the like, for example. The computer may have one processor and one memory or have multiple processors and memories. The program may be installed on the computer or pre-recorded on the ROM and the like. Also, some or all of the processing units may be embodied using an electronic circuit that implements processing functions without using programs, rather than an electronic circuit (circuitry) that implements functional components by loading of programs like a CPU. An electronic circuit constituting a single device may include multiple CPUs.

When the above-described configurations are implemented by a computer, the processing details of the functions supposed to be provided in each device are described by a program. As a result of this program being executed by the computer, the above-described processing functions are implemented on the computer. The program describing the processing details can be recorded on a computer-readable recording medium. An example of the computer-readable recording medium is a non-transitory recording medium. Examples of such a recording medium include a magnetic recording device, an optical disk, a magneto-optical recording medium, and semiconductor memory.

The distribution of this program is performed by, for example, selling, transferring, or lending a portable recording medium such as a DVD or a CD-ROM on which the program is recorded. Furthermore, a configuration may be adopted in which this program is distributed by storing the program in a storage device of a server computer and transferring the program to other computers from the server computer via a network.

The computer that executes such a program first, for example, temporarily stores the program recorded on the portable recording medium or the program transferred from the server computer in a storage device thereof. At the time of execution of processing, the computer reads the program stored in the storage device thereof and executes the processing in accordance with the read program. As another mode of execution of this program, the computer may read the program directly from the portable recording medium and execute the processing in accordance with the program and, furthermore, every time the program is transferred to the computer from the server computer, the computer may sequentially execute the processing in accordance with the received program. A configuration may be adopted in which the transfer of a program to the computer from the server computer is not performed and the above-described processing is executed by so-called application service provider (ASP)-type service by which the processing functions are implemented only by an instruction for execution thereof and result acquisition.

Instead of executing a predetermined program on the computer to implement the processing functions of the present devices, at least some of the processing functions may be implemented by hardware.

DESCRIPTION OF REFERENCE NUMERALS

-   1, 2 secure computation authentication system
-   11 user device
-   12-i, 22-i secure computation device
-   13, 23 verification device

1: A secure computation device, in which L is an integer which is 1 or greater, ε is an integer which is 2 or greater, F is a finite field, F^(ε) is an extension field of the finite field F, an extension degree of the extension field F^(ε) is ε, ceil(x) is a minimum integer which is equal to or greater than a real number x, M=ceil(L/ε) holds, j=0, . . . , L−1 holds, and m=0, . . . , M−1 holds, the secure computation device comprising: a storage that stores concealed authentication information [w]_(i)∈[F]^(L) which is a secret sharing value of authentication information w; an input unit that receives input of concealed authentication information [ω]_(i)∈[F]^(L) which is a secret sharing value of authentication information ω; a first arithmetic unit that obtains a first concealed verification value [z]_(i)=[w−ω]_(i) with secure computation by using the concealed authentication information [w]_(i) and the concealed authentication information [ω]_(i); a random number generation unit that obtains a concealed extension field random number [r_(m)]_(i)∈[F^(ε)] which is a secret sharing value of an extension field random number r_(m); a second arithmetic unit that obtains a second concealed verification value [y_(m)]_(i) in which y_(m) is concealed with secure computation by using the first concealed verification value [z]_(i), where z=(z₀, . . . , z_(L-1))=w−ω holds, z_(j)∈F holds, y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)) holds for m=0, . . . , M−1, and z_(q) by which q>L−1 is established among q=ε(M−1), . . . , εM−1 is 0; and a third arithmetic unit that obtains a third concealed verification value [r_(m)y_(m)]_(i) with secure computation by using the concealed extension field random number [r_(m)]_(i) and the second concealed verification value [y_(m)]_(i) and outputs the third concealed verification value [r_(m)y_(m)]_(i).

2: The secure computation device according to claim 1, wherein M is an integer which is 2 or greater.

3: The secure computation device according to claim 1 or 2, wherein K and N are integers which are 2 or greater, where K≤N holds, the concealed extension field random number [r_(m)]_(i) is a secret sharing value conforming to a (K, N) Shamir's secret sharing scheme, the second arithmetic unit obtains the second concealed verification value [y_(m)]_(i) by joining members of a sequence representing the first concealed verification value [z]_(i), the third arithmetic unit obtains the third concealed verification value [r_(m)y_(m)]_(i) by using the second concealed verification value [y_(m)]_(i) as a secret sharing value conforming to the (K, N) Shamir's secret sharing scheme, and the third concealed verification value [r_(m)y_(m)]_(i) is a secret sharing value conforming to a (2K−1, N) Shamir's secret sharing scheme.

4: The secure computation device according to claim 3, wherein K=2 holds.

5: The secure computation device according to claim 4, in which r_(m)∈F^(ε), _(r)s_(m)∈F^(ε), _(y)s_(m)∈F^(ε), _(R)s_(m)∈F^(ε), I∈F^(ε), [r_(m)]_(i)=r_(m)+_(r)s_(m)·I∈F^(ε), [y_(m)]_(i)=y_(m)+_(y)s_(m)·I∈F^(ε), and [r_(m)y_(m)]_(i)=r_(m)·y_(m)+(r_(m)·_(y)s_(m)+_(r)s_(m)·y_(m))·I+_(r)s_(m)·_(y)s_(m)·I²∈F^(ε) hold, the secure computation device further comprising: a second random number generation unit that obtains a second concealed extension field random number [R_(m)]_(i)=R_(m)+_(R)s_(m)·I∈F^(ε) which is a secret sharing value of a second extension field random number R_(m)∈F^(ε); a fourth arithmetic unit that obtains an extension field multiplication value [R_(m)]_(i)·I=R_(m)·I+_(R)s_(m)·I²∈F^(ε); and a fifth arithmetic unit that obtains and outputs a fourth concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I=r_(m)·y_(m)+(r_(m)·_(y)s_(m)+_(r)s_(m)·y_(m)+R_(m))·I+(_(r)s_(m)·_(y)s_(m)+_(R)s_(m))·I²∈F^(ε).

6: A secure computation authentication system comprising: a plurality of secure computation devices; and a verification device, wherein L is an integer which is 1 or greater, ε is an integer which is 2 or greater, F is a finite field, F^(ε) is an extension field of the finite field F, an extension degree of the extension field F^(ε) is ε, ceil(x) is a minimum integer which is equal to or greater than a real number x, M=ceil(L/ε) holds, j=0, . . . , L−1 holds, and m=0, . . . , M−1 holds, each of the secure computation devices includes a storage that stores concealed authentication information [w]_(i)∈[F]^(L) which is a secret sharing value of authentication information w, a first input unit that receives input of concealed authentication information [ω]_(i)∈[F]^(L) which is a secret sharing value of authentication information ω, a first arithmetic unit that obtains a first concealed verification value [z]_(i)=[w−ω]_(i) with secure computation by using the concealed authentication information [w]_(i) and the concealed authentication information [ω]_(i), a random number generation unit that obtains a concealed extension field random number [r_(m)]_(i)∈[F^(ε)] which is a secret sharing value of an extension field random number r_(m), a second arithmetic unit that obtains a second concealed verification value [y_(m)]_(i) in which y_(m) is concealed with secure computation by using the first concealed verification value [z]_(i), where z=(z₀, . . . , z_(L-1))=w−ω holds, z_(j)∈F holds, y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)) holds for m=0, . . . , M−1, and z_(q) by which q>L−1 is established among q=ε(M−1), . . . , εM−1 is 0, and a third arithmetic unit that obtains a third concealed verification value [r_(m)y_(m)]_(i) with secure computation by using the concealed extension field random number [r_(m)]_(i) and the second concealed verification value [y_(m)]_(i) and outputs the third concealed verification value [r_(m)y_(m)]_(i), and the verification device determines that authentication is successful when r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1.

7: The secure computation authentication system according to claim 6, wherein N pieces of the secure computation devices are provided, N is an integer which is 3 or greater, the concealed extension field random number [r_(m)]_(i) is a secret sharing value conforming to a (2, N) Shamir's secret sharing scheme, the second arithmetic unit obtains the second concealed verification value [y_(m)]_(i) by joining members of a sequence representing the first concealed verification value [z]_(i), the third arithmetic unit obtains the third concealed verification value [r_(m)y_(m)]_(i) by using the second concealed verification value [y_(m)]_(i) as a secret sharing value conforming to the (2, N) Shamir's secret sharing scheme, r_(m)∈F^(ε), _(r)s_(m)∈F^(ε), _(y)s_(m)∈F^(ε), _(R)s_(m)∈F^(ε), I∈F^(ε), [r_(m)]_(i)=r_(m)+_(r)s_(m)·I∈F^(ε), [y_(m)]_(i)=y_(m)+_(y)s_(m)·I∈F^(ε), [r_(m)y_(m)]_(i)=r_(m)·y_(m)+(r_(m)·_(y)s_(m)+_(r)s_(m)·y_(m))·I+_(r)s_(m)·_(y)s_(m)·I²∈F^(ε), and i=1, . . . , N hold, each of the secure computation devices further includes a second random number generation unit that obtains a second concealed extension field random number [R_(m)]_(i)=R_(m)+_(R)s_(m)·I∈F^(ε) which is a secret sharing value of a second extension field random number R_(m)∈F^(ε), a fourth arithmetic unit that obtains an extension field multiplication value [R_(m)]_(i)·I=R_(m)·I+_(R)s_(m)·I²∈F^(ε), and a fifth arithmetic unit that obtains and outputs a fourth concealed verification value [r_(m)y_(m)]_(i)+[R_(m)]_(i)·I=r_(m)·y_(m)+(r_(m)·_(y)s_(m)+_(r)s_(m)·y_(m)+R_(m))·I+(_(r)s_(m)·_(y)s_(m)+_(R)s_(m))·I²∈F^(ε), and the verification device performs an operation with respect to [r_(m)y_(m)]_(φ(1))+[R_(m)]_(φ(1))·I, [r_(m)y_(m)]_(φ(2))+[R_(m)]_(φ(2))·I, and [r_(m)y_(m)]_(φ(3))+[R_(m)]_(φ(3))·I for {φ(1), φ(2), φ(3)}⊆{1, . . . , N} in accordance with a (3, N) Shamir's secret sharing scheme, and determines that authentication is successful when r_(m)y_(m)=0 is satisfied for all of m=0, . . . , M−1.

8: A secure computation method of a secure computation device, in which L is an integer which is 1 or greater, ε is an integer which is 2 or greater, F is a finite field, F^(ε) is an extension field of the finite field F, an extension degree of the extension field F^(ε) is ε, ceil(x) is a minimum integer which is equal to or greater than a real number x, M=ceil(L/ε) holds, j=0, . . . , L−1 holds, and m=0, . . . , M−1 holds, the secure computation method comprising: an input step in which an input unit receives input of concealed authentication information [ω]_(i)∈[F]^(L) which is a secret sharing value of authentication information ω; a first arithmetic step in which a first arithmetic unit obtains a first concealed verification value [z]_(i)=[w−ω]_(i) with secure computation by using the concealed authentication information [w]_(i)∈[F]^(L), the concealed authentication information [w]_(i) being a secret sharing value of authentication information w, and the concealed authentication information [ω]_(i); a random number generation step in which a random number generation unit obtains a concealed extension field random number [r_(m)]_(i)∈[F^(ε)] which is a secret sharing value of an extension field random number r_(m); a second arithmetic step in which a second arithmetic unit obtains a second concealed verification value [y_(m)]_(i) in which y_(m) is concealed with secure computation by using the first concealed verification value [z]_(i), where z=(z₀, . . . , z_(L-1))=w−ω holds, z_(j)∈F holds, y_(m)=(z_(εm), . . . , z_(ε(m+1)-1)) holds for m=0, . . . , M−1, and z_(q) by which q>L−1 is established among q=ε(M−1), . . . , εM−1 is 0; and a third arithmetic step in which a third arithmetic unit obtains a third concealed verification value [r_(m)y_(m)]_(i) with secure computation by using the concealed extension field random number [r_(m)]_(i) and the second concealed verification value [y_(m)]_(i).

9: A program for making a computer function as the secure computation device according to claim 1.